#VU108911 Inefficient regular expression complexity in GL.iNet products - CVE-2025-2811

Vulnerability identifier: #VU108911

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2025-2811

CWE-ID: CWE-1333

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
GL-AX1800 Flint
GL-AXT1800 Slate AX
GL-MT2500 Brume 2
GL-MT3000 Beryl AX
GL-MT6000 Flint 2
GL-B3000 Marble
GL-A1300 Slate Plus
GL-X300B Collie
GL-X3000 Spitz AX
GL-XE3000 Puli AX
GL-SFT1200 Opal
GL-X750 Spitz
GL-MT1300 Beryl
GL-E750/GL-E750V2 Mudi
GL-XE300 Puli
GL-AR750 Creta
GL-AR750S-EXT Slate
GL-AR300M Shadow
GL-AR300M16 Shadow
GL-B1300 Convexa-B
GL-MT300N-V2 Mango
GL-BE3600 Slate 7

Software vendor:
GL.iNet

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Install updates from vendor's website.

• https://www.gl-inet.com/security-updates/security-advisories-vulnerabilities-and-cves-apr-24-2025/
• https://jvn.jp/en/vu/JVNVU93247159/index.html